DAFI63-101/20-101 16 FEBRUARY 2024 37
program initiation, whichever occurs later. Review the APB at each subsequent milestone
decision and full rate production to determine if updates or changes are necessary. Update the
APB at significant or critical 10 USC Section 4371-4375 (Nunn-McCurdy) cost breaches.
4.5. Risk-Based Program Management and Decision Making. PMs for all programs,
including commercial-off-the-shelf (COTS) and non-developmental item programs, identify,
analyze, track and mitigate risks addressed during program reviews. (T-1)
4.5.1. The PM prepares a risk management plan that documents the program’s use of standard
risk management processes (T-0) (reference pathway supplements, DAFPAM 63-128 or DoDI
5000.83_DAFI 63-113, and the Department of Defense Risk, Issue, and Opportunity
Management Guide for Defense Acquisition Programs). Among other content, the risk
management plan addresses how the program is performing and integrating risk-based source
selection, system safety and mission assurance, T&E, threat, intelligence supportability,
acquisition security, supply chain, ESOH, Human System Integration (HSI), industrial base
constraints, and supply chain risk management. Additionally, it addresses cost, schedule,
technical, product support, operational, cybersecurity, and system security risks. The risk
management plan for space programs addresses risk-based performance for space debris
mitigation assessments and documentation for space and launch systems per AFI 91-202, The
US Air Force Mishap Prevention Program. It also describes the responsibilities of
cross-functional risk management Integration Product Team or equivalent. The risk management
plan can be incorporated into the Acquisition Strategy or other appropriate planning document.
Link the risk management plan to risk management activities in other planning documents and
continually update the risk management process and its implementation throughout the
system’s life cycle.
4.5.1.1. The PM uses the likelihood criteria, consequence criteria, and 5x5 risk matrix
provided in Attachment 3, Figure A3.1, Figure A3.2, and Tables A3.1-A3.4, to evaluate,
document, and present cost, schedule, performance, and other program risks. (T-1) These
likelihood and consequence criteria support risk comparability across programs. However,
if the PM determines that the criteria are not appropriate for assessing and managing a
program’s risks, the PM may tailor the criteria, if approved by the MDA, in accordance
with the tailoring guidance in Chapter 1. Reference DAFPAM 63-128 for more
information.
4.5.1.2. The PM will prepare risk handling and mitigation plans for all identified 5x5 risk
matrix high, moderate, and selected low risks unless waived by the MDA. The PM ensures
a mechanism is in place to track and archive all risks and handling and mitigation plans
throughout the program’s life cycle.
4.5.1.3. The PM presents risk information as a part of all program, technical, and
milestone decision reviews or to support other decision points unless waived by the MDA.
On the risk matrix, the PM plots, and is prepared to discuss, each of the program’s
identified high and moderate risks and their corresponding handling and mitigation plans
unless waived by the MDA. The PM includes all High and Serious ESOH and technical
program risks identified using MIL-STD-882E, DoD Standard Practice for System Safety,
plotted on the standard 4x5 Risk Assessment Code (RAC) matrix using the translation
matrix in Attachment 3 unless waived by the MDA. The PM coordinates cybersecurity
risk information with the MDA and AO prior to decision reviews, reference DoDI 5000.90,